4. IPSec spd.conf automatic creation modification

IPSec spd.conf automatic creation modification

  • S

    Hi All,
    I have 2 Lan interfaces routing all traffic through an IPSec Tunnel.
    The LAN interface is still reachable from the LAN, however the OPT1 interface is not reachable due to the automatic added routes when a IPSec tunnel is created.
    I am using PFSense 2.1.5 as editing the routes for IPSec is impossible with 2.2

    The auto added routes which make the interface still reachable are generated through file: /etc/inc/vpn.inc
    from line 847 to 866 (see below:
    /* generate spd.conf /
    $spdconf = "";
    $natfilterrules = false;
    if (is_array($a_phase2) && count($a_phase2)) {
    /     Try to prevent people from locking themselves out of webgui. Just in case. */
    if ($config['interfaces']['lan']) {
    $lanip = get_interface_ip("lan");
    if (!empty($lanip) && is_ipaddrv4($lanip)) {
    $lansn = get_interface_subnet("lan");
    $lansa = gen_subnet($lanip, $lansn);
    $spdconf .= "spdadd -4 {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
    $spdconf .= "spdadd -4 {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
    }
    $lanipv6 = get_interface_ipv6("lan");
    if (!empty($lanipv6) && is_ipaddrv6($lanipv6)) {
    $lansnv6 = get_interface_subnetv6("lan");
    $lansav6 = gen_subnetv6($lanipv6, $lansnv6);
    $spdconf .= "spdadd -6 {$lanipv6}/128 {$lansav6}/{$lansnv6} any -P out none;\n";
    $spdconf .= "spdadd -6 {$lansav6}/{$lansnv6} {$lanipv6}/128 any -P in none;\n";
    }

    I am trying to modify the file so it does add this route for an OPT1 interface as well.
    Can someone help out? do I just change "lan" to "opt1" or what is the proper name PFSense uses to get these variables for an optional interface?
    And can I just put these lines below the initial lines?

    192.168.12.0/22 is my LAN interface
    10.11.15.0/24 is my OPT1 interface

    Basically what I am trying to achieve is to add these 2 lines to the spd.conf:
    spdadd -4 10.11.15.1/32 10.11.15.0/24 any -P out none;
    spdadd -4 10.11.15.0/24 10.11.15.1/32 any -P in none;

    These 2 lines below get autoimatically generated which makes it possible to still talk to the LAN interface when having an IPSec tunnel:
    spdadd -4 192.168.12.1/32 192.168.12.0/22 any -P out none;
    spdadd -4 192.168.12.0/22 192.168.12.1/32 any -P in none;

    Thanks
    Sebastian

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy